
Egress Hairpinning
I run a couple servers inside my network, mostly relying on a reverse-proxy to accept connections on TCP 443 and proxy the connections to the right internal server. I don't run separate internal v. external DNS. Instead, I have a more typical setup where I define an external DNS server in eero, then the eero includes its address as the DNS server in all DHCP addresses, and forwards the requests.
As a result, though, I can't access my server by [subdomain].[domain].com while *inside* my eero network. I have to instead use DNS shortnames. This is annoying for a number of reasons.
-
I really need this feature too for things in my network as I do go in AND out of my network. I'll be going back to main router with eero in bridge mode. Here is a good link for some speed tests and options. I may be trying the Linksys Velop first. https://arstechnica.com/gadgets/2017/02/linksys-velop-review-uk-mesh-wi-fi/
Sorry eero, I tried to like these.
-
It seems this feature has been requested for a while and still hasn't been answered.
I also need need this feature as I run an IIS server at home. Yes, accessing the server using its internal IP is a workaround.
But this doesn't work efficiently in my case because I run 3 websites in the IIS. I have to use my phone, disconnect it to eero just to be able to access the websites.
When can we we get this feature? This should've been part of the eero since day one, right? Most routers support this now.
-
PLEASE prioritize NAT loopback. I have a home automation & security system that uses my mobile phone's geolocation info to inform the HA controller whether I am "home" or "away". My phone obviously has to be able to reach the HA controller inside my home network to update that status. However, without NAT loopback, the process of updating my home/away status is unreliable. Either I use my internal IP address, and can only notify it that I'm home, or I use my external DNS, and can update it when I leave, but am unable to notify it that I'm home if it tries to send the notification once I'm in range of my home wi-fi. This is frustrating to no end, and has me deeply regretting my Eero purchase.
-
eltonsiu@gmail.com The way I see it, it is up to eero whether they retain me as a customer. I've already made my feelings about the current state of the eero system known via Amazon, so I've done what I can to prevent more people from ending up in the same boat. If eero manages to fix this in the next six months, then perhaps they'll keep me as a customer. If they don't, then I can guarantee you that I'll be looking for sales on the Orbi in November.
-
I’m still salty that eero hasn’t addressed this problem, too, although I do somewhat understand why they don’t implement it since there is a definite security concern for NAT loopback to be enabled by default. Hopefully, though, I can spread some hope for working around this issue without buying new hardware since the eero is an otherwise amazing product. You can of course buy a separate router to use for NAT, but that’s pretty annoying. Although If you own a domain name and have a server computer in your house, preferably running Linux, you can use an internal DNS server to work around the lack of NAT loopback. Basically, what you’ll end up doing is pointing your domain to your external IP through your DNS host, then point your domain on the internal DNS server to the internal IP of whichever device you want to access on both sides of the network. Then in every configuration where you would use your IP, just use your domain instead. This is also pretty nifty since if your external IP changes, you don’t have to reconfigure anything except your domain. A few caveats are that you’ll need a different subdomain for every device in your house that you want to connect to on both sides of the network since they’ll get the same IP externally but a different IP internally. You’ll also need to use the same ports both inside and outside your house unless whatever service you’re using supports SRV records, which is pretty unlikely. And remember to go into your eero configuration and set your DNS server to the internal IP of your internal DNS server. I used the BIND DNS server with this tutorial, modifying it slightly since my house is not a data server. The basic principles are still the same though. Assuming you keep your internal DNS server up to date and don’t do anything foolish with it, I don’t see any of the additional security risks associated with NAT loopback either, but I’m certainly not a network engineer. Hopefully this helps anyone who still really likes eero but wants to do some fancy stuff with their network both inside and out!
-
russwittmann idiot google support. I asked him specifically about NAT loopback and they said they don't have that feature supported. I did like google wifi. But the only thing I didn't like about it is that it doesn't support Class A DHCP.
Do you recommend Google wifi over Eero? I might go back to Google WiFi if it supports the loopback (I tried Google WiFi for half a day). It's hard to code websites running at a home server if eero doesn't support loopback.
-
crispywisp When your router receives a packet addressed to your internal IP, it changes the destination to match the corresponding device on the internal network, assuming you have port forwarding set up. So here's why hairpin NAT doesn't normally work. A device with an internal IP, A, tries to use your external IP, C, to connect to a device with internal IP, B. A device A marks a packet (A->C) and sends it off to the router. The router realizes that since the packet is destined to the external IP, so it should change the destination to the corresponding device inside the network, B. So device B receives a packet (A->B). Device B then replies, so device A gets a packet (B->A). Device A freaks out because it expected a response from C but instead got a response from B. There's not really a whole lot you can do about that. The router has to NAT the packet from (A->C) to be (C->B) and then NAT the response (B->C) to (C->A). As you can see, it would have to NAT both the source and the destination, which isn't something you can easily do. Normally, you can only map the source or the destination or you lose track of what the packet is actually supposed to be. If you want that to actually work, you have to go through annoying processes of marking packets or some other convoluted system. Most implementations just mark packets. But any device on the network can mark its own packets however it wants, so whatever information is contained with the mark, any device on the network can spoof. Best case scenario, a device on the network can spoof being another host on the network to MitM your internal connections. In a worse scenario, which is more likely since implementations can never be bug free, a device on the network can probably spoof being whatever host they want, which is extremely bad news. As such, most enterprise grade hardware disables NAT loopback. For residential networks, it doesn't really matter too much, but the implementation of the feature is pretty ugly and it is somewhat of a risk, which is why eero's team might not be too fired up to work on this. Also, I'm not a network engineer so all of that could be totally wrong, but as far as I know, that's the problem.
-
A lead eero engineer thinks adding this feature will allow anyone on the internet to take over control of your entire network. Of course the reasoning is pretty far out there. I am going with lazy. Add a sub $100 EdgeRouter and put eero in bridge mode. Full control over everything and anything including hairpinning. :)
-
crispywisp please let us know what you think. I have the Google hardware already so I'll try that next. But my CEO built a house recently and used Velop. I setup the wifi there. Those nodes put out a VERY strong signal. I used Ekahau heatmapper and those nodes are the strongest I've seen. Easily twice the reach before considerable dB drop. They had other issues, like their UI lacks features. That stuff will come in time I assume/hope. The Orbi looks nice due to it's dedicated channel for internal communications. Overall the UI I thought was best is Google's. I look forward to a couple years when we get one that has the best features of them all. Cheers!